The Communicators, C-SPAN, August 22, 2011, 8:00am-8:30am EDT
>> this week on "the communicators," two critics of president obama's proposals for reducing cyber threats against the u.s.: marc rotenberg of the electronic privacy information center and larry clinton of the internet security alliance. this is part three of a monthlong series on cybersecurity.

>> host: and this is week three of "the communicators"' series on cybersecurity. this week we're going to talk with some interest groups who have a stake in cybersecurity issues. first up, marc rotenberg of the electronic privacy information center, he's the executive director, and we want to talk to him about some of the privacy concerns from the white house cybersecurity proposals. when you look at what the white house has released over the past few months, earlier this summer, where do your concerns lie?

>> guest: let me begin by saying i think a lot of what the white house has done is actually very good. there are a lot of different agencies that need to be consulted, and i think the white house has done a good job of coordinating across several different agencies on a key issue, which is how to ensure security in cyberspace. that having been said, there are some privacy and civil liberties issues here because the white house is also claiming some new authority for the government to collect information on how people use the internet as well as some new authority to intercept private communications. and we understand why they may want to do that, but we think when these types of activities are looked at closely, the need for clear legal standards really becomes apparent, and i would begin by saying that i think one of the key privacy concerns is that when the government takes these powers, there have to be very clear legal reasons and clear accountability and oversight.

>> host: and in response to what the white house has released, you said there should be legal standards, not voluntary guidelines.

>> guest: yes. this is a key point because i think what the white house is trying to do is to address privacy and civil liberties concerns. i hear a lot about this, and i think they are genuinely recognizing that these are important issues, but at the same time they seem to be reluctant to take the type of meaningful steps we would like. so, for example, you could update the federal wiretap law. it's been 25 years since there have been significant amendments to that act. people are using communication technologies in new ways, and the white house could say, in conjunction with our cybersecurity efforts, we want to update that law to make sure it provides the same kinds of protections we tried to establish 25 years ago. you probably need some new types of oversight because you've got government collecting information in new ways, and those kinds of concrete proposals, i would say, are still missing.

>> host: and finally before we get our guest reporter involved here, mr. rotenberg, you talked about some of the new authority the white house calls for. could you give an example of that?

>> guest: well, the department of homeland security is pursuing a new security technique which they call first intrusion detection and then intrusion prevention. i think the name for the project is einstein three, and maybe we'll see an einstein four soon. what they are trying to do is to identify specific activity on the internet that looks malicious, and they want to have better tools to identify that activity and to prevent it. but that technique also gives the government new ways to capture information online. our obvious question is how else might that technique be used? and i would say before we go to gautham, the other point to make is we've just recently seen how governments can use these kinds of authorities in ways that cause us concern. and this is not just, you know, about china and its firewall that blocks access to internet web sites or even egypt where, of course, they suspended access to the internet for a period of time. now we have the prime minister of great britain talking about limiting access to social networking services, and even here in the united states the transit authority in the san francisco bay area was able to turn off cell phone towers because they were concerned about political protests. so i think we need to recognize the significance of some of these, which is probably a bit abstract to some of your viewers.

>> host: gautham nagesh with the hill newspaper.

>> host: thanks for having me. you talked about the government's ability to block portions of the internet, obviously, a hot topic given the protests in the middle east and now the violence in london. this plan doesn't specifically seem to address whether or not the president can intercede. however, the white house has consistently maintained that the president does have the authority to take action in private networks under a 1941, i believe, provision of the act.

>> guest: this is one of those policy debates that i think people in washington just love. i mean, the heading for this, of course, is the internet kill switch. and the big concern that people had when they first looked at some of the proposals for cybersecurity, and i think it was actually in one of the legislative proposals on the hill, was somehow the president would go down in the basement of the white house and flip this big switch to the off position, and the internet would stop working. i think realistically that couldn't happen for lots and lots of reasons. the internet is simply not designed in that way to centralize that type of control. it was interesting when it happened in egypt last year. that was mostly because there were four access points to the internet that actually made it possible for the egyptian government to do that. i don't think that would happen in the u.s. but what your question does go to is what type of authorities would the president have in a genuine cyber warfare scenario. so in that sense this mirrors some of the other debates that are taking place right now about when does the president need to go to congress, and the white house does need to think about those issues because if we found ourselves in a cyber war scenario, the president would have to make some decisions, particularly if the internet was, you know, part of the battlefield.

>> host: i think a lot of people at home are wondering if we were to see, and, fortunately, that doesn't appear to be the case, events similar to what we're seeing in london or even the san francisco transit authority as you mentioned, is that something under this cybersecurity proposal that could take place? could the federal government shut down portions of, say, a social media site if they felt it was being used to stoke violence?

>> guest: i think it would be difficult to do, but we do have some experience in the united states that's a bit of a warning, you might say, and that's surrounding wikileaks. when the u.s. government began to express concern about wikileaks' activity and you had secretary clinton and senator lieberman talking about the problem there, they were also talking about, you know, companies that were providing cloud-based services to wikileaks, enabling support directed toward wikileaks, and we actually began through the freedom of information act to explore the question: was the u.s. government actually putting a little bit of pressure on u.s. firms to back off support for an organization that they believed was controversial? so i think there are ways this could happen. i don't think it would be quite so dramatic as i said before of cutting off access to the internet, but there are other ways to accomplish similar goals.

>> host: now, um, switching gears a little bit, in your view does this proposal seem consistent with the administration's previous actions with regards to collecting data both online and off? because there are privacy advocates who have criticized this administration as consistently increasing law enforcement's ability to access consumer individual data.

>> guest: yes. well, i think the proposal does not go as far as it should go to protect privacy. i think that's the view that's generally held across the privacy and consumer user community that the white house could be doing more to promote specific legislation. the white house talks a lot about self-regulation, which is another way of saying they hope that the problem will solve itself. but i don't think most people who have experienced identity theft or read about all the recent incidents of security breaches feel that the problem is solving itself. so, um, we would like to see them do more. to the extent that it's been consistent in not setting out a legislative agenda, i guess that's true but not so good for us.

>> host: so, marc rotenberg, when you read through the white house's proposals on cybersecurity and you see the references to private industry and public/private partnerships, does that concern you?

>> guest: well, here the white house is trying to actually manage the relationship with the private sector in a way that will maintain the private sector's support. so, for example, the private sector has said that they don't want a legislative mandate, they don't want the government to take over some of the critical infrastructure that they're responsible for. the white house and the department of homeland security are concerned that some of those networks, for example, the remotely-operated electronic grids, let's say, or a water supply or gas supply, much of this today is now tied into the internet. so you begin to think about scenarios where those actually become vulnerabilities, and the white house, of course, has some responsibility to safeguard those critical functions. so what they've tried to do in the private sector is say we want to work with you, we need you to provide us information, we will provide you with information. but from the user perspective that also creates some risk because now you may have data about user activity moving back and forth between the private company and the government without any kind of real independent oversight. and in that relationship we've said there has to be consideration of the user, of the consumer.

>> host: do the white house cybersecurity proposals address penalties for privacy breaches?

>> guest: they do, but in a way, actually, we do not support because part of the agreement and the proposal to get the information from the private sector over to dhs is to immunize the private sector companies that are disclosing information about their customers and users from any liability. now, if you're a user or a customer of one of these companies who's not the subject of a criminal information, you might wonder why your data ended up over at the department of homeland security, and the only real way you would have to effect some change in that practice would probably be to bring a lawsuit. so if the white house immunizes those companies, which is, by the way, very similar to what president bush did around the, you know, patriot act amendments when the lawsuits were going forward charging violations of wiretap law, it's basically the internet users' rights that are being ignored.

>> host: this is "the communicators" program on c-span. we are in the third week of a series on cybersecurity issues. this week we're talking with marc rotenberg of the electronic privacy information center. gautham nagesh is our guest reporter.

>> host: thanks, peter. marc, sticking with critical infrastructure, you spoke about some of these companies, the electric grid, but we have also heard this will likely include internet service providers, financial services firms. that in particular would probably raise some privacy concerns for consumers given once dhs or the federal government has access to this data, it's not clear whether or not they would be able to use it for other purposes.

>> guest: i think the white house's instinct in this area is correct, which is to say that what they've put in this report is the goal of ensuring that the information that they gather will only be used for purposes consistent with their cybersecurity mandate, and we agree with that. but we'd like to see that set out clearly in the legislation and not create a situation, which oftentimes happens in government, where they get the information for one purpose and they say, well, you know, we could also use the information because now we've got all this data for some other purposes. maybe it's criminal investigation, maybe it's, you know, tax collection. i mean, who knows what it might be. and those other purposes might actually seem reasonable at the time. but you see, when you open the gates in this way and enable this type of data from the private sector to the government, it's really the interests of the individual user that i think need to be safeguarded, and the way you have to do that is through legislation.

>> host: so what kind of legislation are we talking about specifically? would you like to see warrants necessary in terms of using data, or can you explain a little bit?

>> guest: well, as a general matter we think that you do need judicial approval before you intercept private communications in the united states. that's really the core principle in the federal wiretap laws. of course we have exceptions, but you want those to occur around the edges in special circumstances. you don't want the core principle of judicial review before there's an intercept taking place to be replaced by a new core principle that says the government routinely gets access to user data from isps to see if there's anything they need to know about. that could easily happen over time, i think, if some of the language in the legislative proposal is not tightened up a bit.

>> host: mr. rotenberg, you've endorsed, or epic has endorsed, senator leahy's personal data privacy and security act of 2011. why are you in favor of this legislation?

>> guest: i think what senator leahy is trying to do is strengthen data breach notification. now, this is an interesting development in the privacy world. basically, it's the requirement that's placed on companies to tell their customers when information about them has been wrongfully disclosed. it may not be, you know, quite as satisfying as knowing that their information is always protected, but what we've learned increasingly is when the user data gets out there, there are new opportunities for financial fraud and identity theft. and, of course, a company's taking a bit of a hit when it has to concede it didn't follow adequate security practices. so senator leahy is trying to strengthen the data breach notification requirements, including some new penalties which i think would be very good. another issue which he has addressed, and others on the hill as well, which is moving to the fore, i would say, in the privacy world is the notion of data minimization, recognizing that it's oftentimes difficult to protect the information that's being collected. i think the view in the expert community and the privacy community is that increasingly companies really need to think about is it such a good idea to collect so much information about individuals. i mean, do you really need social security numbers on your customers if you don't have tax reporting requirements? do you really need to keep financial information? and should the information that you're keeping, should that be routinely encrypted? those are also topics senator leahy and others have looked at.

>> host: is the legislation similar to what mary bono mack is pursuing?

>> guest: well, congresswoman mack's legislation on the house side, i think, is a good starting point, but i don't think it goes as far as congressman rush's bill from the last congress. one of the accomplishments in the last congress was to recognize, also, the significant role that the information broker industry plays in this particular area and the need, i think, to establish some new privacy safeguards for that industry. what congresswoman bono mack felt was at this point she just wanted to focus on the security side without looking at the privacy issues. our view is that the privacy issues need to be considered at the same time.

>> host: final question, mr. nagesh.

>> host: speaking to data minimization, we've seen a tension there between the privacy experts and many industries, who feel there needs to be as little data kept as possible, whereas in law enforcement, and we've seen in the house bill which under the purpose of cutting down child porn --

>> guest: yes, i testified on that bill.

>> host: and i was at the hearing where you testified on that. can you speak to that tension? and the white house proposal appears to be more sympathetic to law enforcement's need to be able to access information. where do you see the proposal coming down on that divide?

>> guest: i don't know what the outcome will be, but i do know having studied the history of privacy law in the united states that i think one of the accomplishments in our original privacy legislation was to say to law enforcement quite explicitly you really should only collect the information that's necessarily related to the criminal investigation you're pursuing. so it is actually the case that currently in federal wiretap law there are minimization procedures and other legal obligations that help ensure that information about innocent people is not gathered. that's the change, and i don't see a reason to make that change at this time.

>> host: marc rotenberg is the executive director of the electronic privacy information center. how is epic funded?

>> guest: you know, i've been struggling with that issue for a long time. we don't take money from the private sector, and we don't take money from the government, so we basically get contributions from individual donors, some litigation we pursue and some of the books we sell. we're a modest group, but we think it's an important issue and, certainly, it's an issue a lot of people are concerned about today.

>> host: previously, he served as counsel to senator patrick leahy, former chair of the public interest registry and, most interestingly, he is a three-time chess champion for washington d.c. mr. rotenberg, as always, we appreciate your being on "the communicators." we will be right back with larry clinton of the internet security alliance. and now on your screen is larry clinton who is president and ceo of the internet security alliance. mr. clinton, if we could start by finding out what the isa is.

>> guest: the internet security alliance is a trade association, it was created back in 2000, and it represents virtually every aspect of our nation's critical infrastructure, aviation, banking, communications, defense, education, financial services, etc. and we are, our mission statement is to take advanced technology and blend it with public policy and economics to create a sustainable system of cybersecurity. so we're a security organization, and we represent our companies' security interests.

>> host: well, when you look at the cybersecurity proposals put out by the white house this summer, what's your general reaction? where do you support it, what concerns you?

>> guest: well, there are a number of things in the administration's proposal that i think have broad support, things such as providing more cybersecurity education, developing a much better system within the government to manage their own cybersecurity, research and development on next generation items. i think where we feel that the administration, um, has not met our expectations is when they deal with the private sector. the private sector owns, operates and, frankly, creates the vast majority of what is the internet, and we don't believe that without a robust and really engaged partnership between the public sector and the private sector we're going to be able to achieve the sort of sustainable system that the internet security alliance is interested in. and so we, we're disappointed with the entire section really that dealt with developing a model for working between the president, the administration and the private sector.

>> host: why are you disappointed? what specifically disappoints?

>> guest: well, so i attended a conference about a month or so ago out at george mason university, and one of the head white house staff for cybersecurity was giving the keynote address. and at the end of the address he was asked, so give us the future. what would all this mean? and he said that he believed that by 2012 we will have solved all of the cybersecurity problems from 2005. and i thought that was a pretty accurate and candid view of what the administration's proposal does. they are fighting the last war. the model that they are using for dealing with the private sector is largely antiquated. um, it doesn't really recognize the movement that we have in terms of data moving largely out of the control of individual enterprises and now moving to the cloud. it doesn't really appreciate the advanced nature of some of the really serious threats that we're dealing with, things we call the apt, the advanced persistent threat. that's very sophisticated sorts of attacks, often nation-centered. instead it takes a sort of punitive sarbanes-oxley kind of approach to the private sector that we think really creates the wrong incentives, and what we really need is a positive engagement with our government partners as opposed to kind of a punitive name and shame model. that's not going to provide the sorts of investment we really need.

>> host: and, in fact, a quote from the internet security alliance when the proposals first came out: it would be much better if companies were proactively incented so that they wanted to find cyber attackers.

>> host: what would be proactively incenting a company?

>> guest: well, ironically, when president obama released his cyberspace policy review, which was in march, i'm sorry, in may of 2009, he in his own document cited a number of these things. so we're talking about using liability incentives, we're talking about using, um, procurement incentives. the president at that time -- this was 2009 -- suggested that we needed to provide tax incentives. we think that we can also use streamlined regulation. we can do an awful lot more to bring the insurance industry into the cybersecurity equation. what we need to do is get organizations to invest more in cybersecurity, to go a step that is, frankly, beyond what is demanded by their corporate commercial interests and reach a security level that is the national interest. and those are different things.

>> host: gautham nagesh of the hill newspaper.

>> host: thank you. you spoke about the private sector's reaction to the plan. the white house has taken great pains to cast this proposal not as a regulatory model, but as a collaboration with the private sector. but we have heard criticism such as from melissa hathaway that there was not enough private sector input. how does the isa view that? were your firms contacted? how much input did they have in the formulation of this plan?

>> guest: unfortunately, we had virtually no direct involvement in the development of the administration's current regulatory proposal. and by the way, the title is cybersecurity regulatory framework for the critical infrastructure. so there's really no doubt that they have proposed here developing a fairly extensive regulatory structure and, again, that is precisely the opposite of what the president himself promised when he released the cyberspace policy review back in 2009, where he said that they were not going to adopt a regulated posture. um, the private sector from everything i know had no input into the development of this proposal, quite different, frankly, from the development of the cyberspace policy review or, previously, the national infrastructure protection plan, which were all created through a partnership model. the private sector went to great pains to put together a very detailed paper bringing together the users, the providers, the civil liberties community, a 33-page detailed paper built on the national infrastructure protection plan and the cyberspace policy review to try to advance the ball moving forward. and we presented that to the administration, and we got a one-hour meeting, and we asked to see their plan, you know, show us yours, we'll show you ours, and we never heard back from them. we didn't see the administration's proposal until they sent it to the congress.

>> host: now, the administration proposal gives dhs the authority, essentially, to enforce whatever security standards which they say will be developed in consultation with industry. as you say, they're saying not criminal sanctions or civil liability, but as you said, name and shame. they're going to publish the results of security audits in order to incentivize companies. i take it that's not an enforcement mechanism that the isa can get behind.

>> guest: it's the wrong sorts of incentives. you need to understand what we're dealing with here with these modern attacks, going back to the notion that we're not dealing with 2005 cybersecurity, we're dealing with in many instances these very sophisticated attacks. i mentioned before the advanced persistent threat. this is nsa-level attacking. these guys are pros, okay? they're not kids in basements. these guys are very sophisticated, very well organized, very well funded, they are probably state-supported. um, so for a corporation to be going up against, essentially, a nation state that is attempting to attack them is, to adopt dick clarke's analogy, similar to the pentagon going to u.s. steel during world war ii and saying, well, we think the germans may attack, you guys should buy some anti-aircraft weaponry. it's entirely the wrong model. these modern attacks are designed to be stealthy. in the old days, attackers publicized their attacks. now they go in there, and they hide. the idea is that you don't know that you have been attacked. so what the administration's proposal does is provide an incentive not to look. we need to provide incentives for corporations to be redoubling their efforts to find these very, very sophisticated attacks. and if corporations feel that they are -- if they find the attack they're going to be put up on a web site, and they're going to get a bunch of negative publicity, their stock price is going to go down, not only do they not have an incentive to look for these successful attacks, but we've provided an incentive for foreign entities to attack these entities hoping they get discovered and their stock prices go down. this is a punitive model where we're trying to blame the victims of the attack. what we need is a constructive model where the government tries to find things it can do to encourage and assist american companies, to provide the right incentives so that we are enhancing our cybersecurity systems, not blaming people when china's successfully attacking them.

>> host: well, but, larry clinton, don't consumers have the right to know if their personal information from either sony or whatever has been attacked, don't they have a right to k